With the enactment of the new Law on Personal Data Protection (“Law”) in 2020, North Macedonia largely harmonized its data protection legislation with the EU General Data Protection Regulation (GDPR).
Data controllers and data processors to which the Law applies must ensure compliance with the data protection requirements by 24 August 2021 at the latest. If not, they could face the new and severe penalty policy, which includes fines up to 2% and up to 4% of the total annual income of the legal entity from the previous financial year per misdemeanour, while for non-compliance with the provisions for video surveillance, controllers (legal entities) can be fined ranging between EUR 1,000 and EUR 10,000. The fines envisaged for natural persons – controllers or processors, or responsible persons within controllers or processors are smaller – around several hundreds of EUR.
There is no officially defined path that a company should take to comply with the Law. Data controllers should assess their current data protection system and identify the additional steps that need to be undertaken in a data protection compliance action plan. The steps can include adoption of all-new and/or amendment of existing internal data protection acts, implementing data protection by design and by default, keeping internal records of processing activities, carrying out an assessment of the impact of the envisaged processing operations on the protection of personal data etc.
With around 60 days left until the deadline for achieving compliance, it is recommendable that data controllers and data processors that have not initiated the compliance process yet, do so as soon as possible.